Authentication hooks for post-authentication logic before OK packet

[ramnes]

Hey again!

I'd like to be able to execute custom logic after authentication succeeds or fails but before the packet is sent to the client: rejecting connections based on authorization rules, logging authentication failure, etc.

Right now, by the time NewCustomizedConn returns, the client has already received the authentication / handshake OK packet, so I can only reject on the first command rather than during the handshake.

What would you think of optional authentication hooks, e.g. OnAuthSuccess and OnAuthFailure?

We could either pass them to NewCustomizedConn, or replace CredentialProvider with a new interface that has a larger scope, e.g. something like AuthenticationHandler.

What do you think? Happy to discuss alternative approaches. :)

[ramnes]

A larger AuthenticationHandler interface could even bundle other changes for the issues discussed in #1069 and #1070:

type AuthenticationHandler interface {
	GetCredential(username string) (credential Credential, found bool, err error)

	// OnAuthSuccess is called after successful authentication, before the OK packet.
	// Return an error to reject the connection (error will be sent to client instead of OK).
	// Return nil to proceed with sending the OK packet.
	OnAuthSuccess(conn *Conn) error

	// OnAuthFailure is called when local authentication fails.
	// Return a backend connection to retry authentication against the backend
	// server using an auth switch request.
	// Return nil to reject the connection with the original error.
	OnAuthFailure(conn *Conn, err error) (*client.Conn, error)  // <-- Addresses #1070 (maybe?)
}

[lance6716]

Can the new methods be put inside Handler (I didn't implement a proxy using this package so have no taste)? I'm thinking of putting hooks together or putting authentication functions together. Will think about it later.

[ramnes]

Yeah we could definitely put them into Handler as well. It seemed more natural for me to keep Handler for commands but both work! Happy to do it the way you prefer.